Koozali.org formerly Contribs.org

Latest Apple iPhone iOS 10 update and SME Self Signed Certificates

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Hi!

Has anyone else seen problems with their remote iPhones that have recently been updated [10.x.x something] and connecting via IMAPS, SMTPS ?

The latest update on some phones removes the option to 'Trust' the cert [think it only allows Delete or Cancel]

Have several users going crazy saying email on their phone is critical!

If you have seen this, and or know of any workaround etc please post!

Tia!
"If you don't know what you want, you end up with a lot you don't."

Offline Stefano

  • *
  • 10,779
  • Skype account: maghissimo
    • Smeserver italian community
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #1 on: November 23, 2016, 05:07:15 PM »
See here

https://forums.contribs.org/index.php/topic,52743.0.html
In italian, but poster can answer you in english
Consulente di Smeserver.it -  Soluzioni e supporto su Sme server in Italia

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #2 on: November 23, 2016, 05:38:51 PM »
Post using Google Translate

Quote
Apple must die !!! :Grin:

That said ... I expose the problem encountered and the solution hoping to be helpful to someone.

With the "old" versions of IOS (at least until the ninth working) when you had to setup a new server with EMS mail and self-signed certificate was enough simply being configured account, accept the self-signed certificate and all was smooth, the 'Apple tool accepted and saved the "allowed" to use the "unsafe" certificate and everything worked properly.

With the arrival of IOS 10 seems to Apple have decided not to allow the acceptance of the certificate during configuration, you must install it before. Given that the e-mail setup can still be completed, you notice that you can "see" in imap email but can not send them.

In order to enable the sending of email without an error it is necessary to export the certificate (in Base64 format), send it as an email attachment and open the attachment on your phone or tablet from Apple.
By doing so you will get to install it properly.

I also have a couple of screenshots but I can not find how to attach them (you have disabled the function?)

Guess I'll be needing some cli certificate export mojo to do this :)

"If you don't know what you want, you end up with a lot you don't."

Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #3 on: November 23, 2016, 06:17:00 PM »
Need only Chrome... can export certificate from Chrome ;)
Smeserver.it -  Soluzioni e supporto su Sme server in Italia

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #4 on: November 23, 2016, 06:34:19 PM »
Going to server manager and clicking on the crossed out red HTTPS from within Chrome I get;

Security Overview
This page is insecure (broken HTTPS)
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
Obsolete Connection Settings
The connection to this site uses an obsolete protocol (TLS 1.0), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

I can still export it however as Base64 Encoded X.509 (*.cer)
« Last Edit: November 23, 2016, 07:01:07 PM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

Offline DanB35

  • ****
  • 764
    • http://www.familybrown.org
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #5 on: November 23, 2016, 11:22:46 PM »
Or install John Crisp's contrib for Let's Encrypt and get a real trusted cert, that renews automatically, for free.  https://wiki.contribs.org/Letsencrypt
......

Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #6 on: November 30, 2016, 11:25:46 AM »
G Bentley
Quote
Has anyone else seen problems with their remote iPhones that have recently been updated [10.x.x something] and connecting via IMAPS, SMTPS ?

I came across this last week. After a lot of head scratching and muttering about Tim Cooke's parentage, I did succeed in resolving this.
1 I deleted the mail account completely (IMAPS)
2 Recreated the account. It then gave 3 options re certificates. By following the links for details I was able to trust the certificate.
3 It then went on to verify the account (took a while) and email reception was restored.
4 The SMTP server verified as being on Port 25 SSL which is not correct.
5 I edited the SMTP and changed it to Port 465 SSL. It then went off and re-verified the SMTP account.
6 This was a hit and miss affair and it took and incredibly long time to finally verify after 4 or 5 attempts which failed.

I should say the IMAPS server and the smtp server are both the same SME running on Ports 993 & 465 respectively (default)

I am not suggesting this is the holy grail for resolution. Far from it, however this is what finally worked for me after much shagging around and an incredible amount of consumed time. Really, it should not be this hard but this may help someone or become the starting point for a more streamlined resolution. Thanks heaps Apple (not).

Peter

BTW Other option is to throw the iPhones away and go to android. They dont go through all this nonsense, they 'just work'
« Last Edit: November 30, 2016, 11:33:58 AM by p-jones »
...

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #7 on: December 02, 2016, 06:38:29 AM »
I ended up deleting the accounts on over 20 phones, a mix of mostly iphones and a few windows phones. The 3 android phones work perfectly. This was after getting a commercial cert installed from ssl.com which frankly has not helped the situation and I should likely have just stuck with sme self cert.

On the iphones at 10.1.1 following the initial new account screen which just asks for email, un+pw, the setup page allows you to specify server hostnames passwords and ports, so the phone is being given exactly the right info. On hostnames there is some question over using the ip address that our microwave provider has allocated to the circuit our mail goes over. I have even tried entering the email address in the form user@ip.add.ress on the initial setup screen which helped in some cases.

Anyway, after two days of messing about, not really finding a reason or any answers I was called the very next day to say that a large number of phones will receive but not send - with exactly the same problem of not trusting the cert but for outgoing only?

My assumption is that the same cert is being used for both imaps and smtps? What gives?

So, back in today to see if I can get some some answers  :shock:

Think I am up against it though. The phones providers radio gets 1-2 bars at best and relies on their network switches & circuits and at the other end is our microwave provider and their network switches and circuits. Over the years the one thing I have nearly almost always found to be reliable and not to blame is sme  :grin: 

Doesn't help when reading stuff like this - makes you wonder what changes providers are making...

https://www.theguardian.com/technology/2016/dec/01/uk-homes-lose-internet-access-after-cyber-attack

Btw 'shagging around' in the UK wouldn't do your reputation much good [unless you are one of a group of 18 yo males lol]


« Last Edit: December 02, 2016, 06:49:51 AM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #8 on: December 02, 2016, 07:00:41 AM »
Out of interest I copied our commercial cert onto our webserver, and after deleting the mail account from the phone, installed it via the url. The iphones totally accepted and installed the cert as if all was well. However after re-creating the mail account, incoming works but outgoing doesn't with 'un-trusted cert' error and no option other than cancel or 'see details' - so no 'accept' or 'continue'

A similar problem is reported in the iphone forums however since getting bogged down with all this its worth noting that two Windows phones are doing something similar but the android phones go straight through and work immediately.

The best out of all of them was the Samsung S6 imho
« Last Edit: December 02, 2016, 07:03:55 AM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #9 on: December 02, 2016, 07:01:22 AM »
Quote
Btw 'shagging around' in the UK wouldn't do your reputation much good [unless you are one of a group of 18 yo males lol]

Luckily, I am NOT in the UK and being an 18 yr old was a long, long, long time ago !
...

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
iPhone iOS 10.1.1 update & SME Self Signed Certificates [WORKAROUND]
« Reply #10 on: December 02, 2016, 02:51:52 PM »
Turns out the Windows phones just wanted the 'Trust' button pressed [comes up 'Your Account Needs Attention'] - so the Android and Windows phones [3 of each] all worked so this really is just the iPhones.

To update on this, when setting up the account on the first screen I enter username@wanipaddress for email address
On the next screen I correct the above address and continued as usual
For outgoing I have used our ISP Auth SMTP server details and un+pw

To summarise: On iPhones upgraded to 10.1.1 incoming mail worked but outgoing was failing.
The above fixes it but only after removing the account and starting afresh.
« Last Edit: December 02, 2016, 02:53:28 PM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #11 on: January 05, 2017, 11:14:40 AM »
the easiest way is to remove the old account the create a new account for example test and reconfigure it on iphone it will succeed  then remove the test account and reconfigure your account

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #12 on: January 05, 2017, 11:23:31 AM »
Pretty much what I said in my last paragraph. The problem comes when users 'don't have the knowledge' to setup their phones / email account from scratch - and are in/out of the office at different times. Of course its always your fault you weren't in when they where and not vice-versa!
"If you don't know what you want, you end up with a lot you don't."

Offline ReetP

  • *
  • 1,979
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #13 on: January 05, 2017, 04:33:33 PM »
Hence prevention is better than cure - there were reports that this would happen circulating for some long time.

As a result of that, and other issues, I decided to make the letsencrypt contrib (and a huge pat on the back to Dan Brown for his help). iOS 10 came and went for my wife without a murmur ;-) Note that I had been using 's' connections for some long while.

Anyway, in that vein, and bearing mind you are still on v8, you REALLY need to be moving to v9 before v8 goes EOL

31st March 2017 I believe is the date.

v9 is supported to 30th November 2020

Time to lace on those skates :-)

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline gbentley

  • *
  • 468
  • Forum Lurker
    • Earth
Re: Latest Apple iPhone iOS 10 update and SME Self Signed Certificates
« Reply #14 on: January 05, 2017, 05:37:26 PM »
Backed up and upgraded on 29/12/16 - went smooth as silk  :-D :-D
"If you don't know what you want, you end up with a lot you don't."